wildfly 20 shows raw jsp files - called on / context


Jim Boden

Sep 12, 2023, 3:21:55 PM
to WildFly
I'm assuming we have a configuration issue but really can't figure this one out.

We have a single web app called aa, deployed in aa.war exploded.
In that war, we have a jsp folder with jspx and jsp files.

In standalone.xml we have this for undertow:

        <subsystem xmlns="urn:jboss:domain:undertow:11.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" max-parameters="100000" security-realm="ApplicationRealm" enabled-cipher-suites="ALL:!MD5:!RC4:!ADH:!LOW:!3DES" enabled-protocols="TLSv1.2" enable-http2="true"/>
                <host name="default-host" alias="localhost" >
                    <location name="/favicon.ico" handler="favicon"/>
                    <location name="/" handler="AA"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                    <filter-ref name="404-handler"/>
                    <filter-ref name="hsts-header"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default" stack-trace-on-error="local-only">
                <jsp-config development="true" tag-pooling="false"/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="favicon" path="${jboss.home.dir}/standalone/deployments/aa.war/favicon.ico"/>
                <file name="AA" path="${jboss.home.dir}/standalone/deployments/aa.war" case-sensitive="false"/>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <filters>
                <response-header name="server-header" header-name="Server" header-value="aa"/>
                <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="aa"/>
                <response-header name="hsts-header" header-name="Strict-Transport-Security" header-value="max-age=31536000;"/>
                <error-page name="404-handler" code="404" path="${jboss.home.dir}/standalone/deployments/aa.war/index.htm"/>
            </filters>
        </subsystem>


In my .war folder we also have a jboss-web.xml where we set the context root:

<jboss-web>
    <context-root>/aa</context-root>
</jboss-web>


When we go to the aa path, it sends me to the app which has a filter sending me to the login page.

But if I try to get any jsp file directly WITHOUT having aa in my URL, I get the source download. For example:


works fine. In my app I send .htm to the .jsp file in a web.xml. Also this:


Gives an error because I have a filter blocking all that stuff in my web app. But this:


Gives the raw jsp downloaded. Since we don't have aa in the path, my application filters are not invoked. 

Is there any way to put a massive filter/block so that ANYTHING that does not start with /aa gets redirected to my app? I tried adding default-web-module="aa.war" to the undertow host. That stopped the download but wildfly changed the default context to / so that the jsp files would not get executed.

WFLYUT0021: Registered web context: '/' for server 'default-server'

Then it all worked on / but not on /aa. Users have /aa bookmarked in links so I need that to work.

Any ideas how to stop the download of source code?

Thank you!

Paul Ferraro

Sep 12, 2023, 6:31:44 PM
to WildFly
The reason that Undertow is serving your JSPs as files is due to the file handler you defined.

It seems to me that what you _actually_ want is to serve your application from the root context, rather than via "/aa".  Correct?
If so, just update your jboss-web.xml to use <context-root>/</context-root>.  That way, your application will be served from the root context.
Then get rid of your "AA" and "favicon" file handlers, which appear to be the source of your problem (i.e. JSPs are served as normal files).
Also, get rid of your application filter that blocks access to your JSPs.  All *.jsp files will automatically be mapped to the appropriate handler.

Let me know if I've misinterpreted your intentions.

Paul
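
An added example (not part of the thread and not WildFly project code): a Python check that reads an Undertow subsystem and reports every <location> wired to a <file> handler whose path is the root of an exploded deployment, the pattern that served JSP source in this thread. The sample XML is a constructed, trimmed copy of the posted configuration; the names audit_undertow, local and DEPLOY_ROOT and the path pattern are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the Undertow subsystem posted above.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:undertow:11.0">
  <server name="default-server">
    <host name="default-host" alias="localhost">
      <location name="/favicon.ico" handler="favicon"/>
      <location name="/" handler="AA"/>
    </host>
  </server>
  <handlers>
    <file name="favicon" path="${jboss.home.dir}/standalone/deployments/aa.war/favicon.ico"/>
    <file name="AA" path="${jboss.home.dir}/standalone/deployments/aa.war" case-sensitive="false"/>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
  </handlers>
</subsystem>"""

# Assumption of this example: a path ending in <name>.war or <name>.ear under
# a deployments directory is the root of an exploded deployment.
DEPLOY_ROOT = re.compile(r"/deployments/[^/]+\.(?:war|ear)/?$", re.IGNORECASE)


def local(tag):
    """Drop the XML namespace so the check is independent of the schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_undertow(xml_text):
    """Return (host, location, handler, path) for each location that serves an
    entire exploded deployment as static files, bypassing the servlet container."""
    root = ET.fromstring(xml_text)
    # Map file-handler names to their paths (only <file> children of <handlers>).
    paths = {}
    for block in (e for e in root.iter() if local(e.tag) == "handlers"):
        for f in (e for e in block if local(e.tag) == "file"):
            paths[f.get("name")] = f.get("path", "")
    findings = []
    for host in (e for e in root.iter() if local(e.tag) == "host"):
        for loc in (e for e in host if local(e.tag) == "location"):
            path = paths.get(loc.get("handler"), "")
            if DEPLOY_ROOT.search(path):
                findings.append((host.get("name"), loc.get("name"), loc.get("handler"), path))
    return findings


if __name__ == "__main__":
    for host, loc, handler, path in audit_undertow(SAMPLE):
        print(f"host {host}: location {loc} -> file handler {handler} exposes {path}")
```

The favicon handler is not reported because it points at a single file rather than at the deployment directory.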
